Android security: surviving the toxic hellstew

With an 87% global market share, it’s no wonder that Android devices are attracting malware authors like circling vultures – much to Apple’s delight.

There’s a kind of hackers’ arms race going on as they compete to plant nastier and nastier bugs on Android phones. The latest arrival is ransomware, which infects and encrypts your files then (sometimes) releases your data if you pay a ransom of typically tens or hundreds of dollars.

On 9 June Kaspersky blogger Roman Unuchek announced Pletor as “the first mobile encryptor”, saying: “On 30 May a unique encryption Trojan that works on Android went on sale on a virus writers’ forum. The asking price – $5,000. A few days later on May 18, we saw the appearance of a new mobile encryptor Trojan in the wild that we detect as Trojan-Ransom.AndroidOS.Pletor.a. By June 5, we had detected over 2,000 infections in 13 countries.”

A few days earlier, researchers at ESET had outed Simplocker, also described as “the first file-encrypting ransomware for Android”.

But whichever ransomware has the honour of being first, the trend of escalating threats targeting Android suggests that the platform is both popular and ‘fair game’, because the operating system is vulnerable to hacking. Hence the statistic from F-Secure in March that while Android enjoys 87% of the global smartphone market, it attracts 97% of all mobile malware.

Toxic hellstew

This was a theme cheerfully taken up by Apple CEO Tim Cook in his keynote speech at the company’s Worldwide Developers Conference on 2 June.

Cook quoted a recent article by ZDNet author Adrian Kingsley-Hughes which said Android’s fragmentation was producing “a toxic hellstew of vulnerabilities” across these devices.

Underlining his point with a graphic slide of a burning ‘hellstew’, Cook suggested that over 130 million people who bought an iOS device in the past 12 months were buying their first Apple device – and many of them were switching from Android.

Cook’s message was that Apple drives users to adopt the latest (and safest) version of its iOS operating system, so that almost 90% of users are running the latest version – the exact opposite of Android, where fewer than 10% of users are running the latest version, KitKat. As a result, those people are missing out on security updates.

Android vs Apple

So is Cook right? The answer is, yes and no.

Firstly, Apple iPhones have their share of bugs, as Fortinet blogger Axelle Apvrille pointed out in a 9 June posting that usefully lists them all. But Apvrille also admitted there are far fewer than on Android.

Responding to Cook borrowing his ‘toxic hellstew’ phrase, ZDNet’s Kingsley-Hughes pinpointed the problem: “Android itself is a strong operating system, but the way that the platform is delivered to end-users is critically flawed.”

Unlike iOS, where updates are sent to users directly, Google releases any Android update to the OEMs and phone manufacturers first, so they can customise it with their own tweaks and personalisations.

The problem with that, said Kingsley-Hughes, is: “Neither the OEMs nor the carriers feel there’s much of a benefit in pushing free software updates to customers, and would much rather focus on selling those people a new device.”

This analysis was supported by one of the UK’s leading mobile security experts, Rob Miller of MWR InfoSecurity, when he spoke at the recent BSides security conference in London.

But in line with Kingsley-Hughes, Miller said most Android phone manufacturers simply aren’t including these more up-to-date features – because security doesn’t sell.

“Unfortunately, all these great security features are not being used. The simple issue is right now, apparently you cannot sell a phone to the market saying ‘this is the most secure one’. You’ve got to have features. The drive to market is new features, not best security.

“The simple conclusion is you have the manufacturers, the network operators, it’s such a rush to get the new features that they are not taking advantage of these new security features or worse they’re actually poking holes in the walls.”

And so Miller grimly demonstrated how MWR had been able to easily hack two unnamed but flagship Android phones – “the best” offered by their respective manufacturers – even before the user had installed any potentially vulnerable apps themselves.

Looking forward, Miller is calling for a campaign to pressure the phone companies into cleaning up their act.

“There will be a lot of issues like this, I absolutely guarantee it, because currently these vulnerabilities are kind of being ignored by the manufacturers. If enough of us make enough noise, maybe they’ll start doing something about it.”

Conclusion

Android phone users deserve devices that make use of the latest security features. That requires combined action by Google, the OEMs and phone manufacturers involved – if for no other reason than that millions of people are currently switching back to Apple phones.

In the meantime, Rob Miller advised: “You have to plan and know that Android can be undermined. For any security currently put on an Android smartphone, the apps that are on that phone can be compromised. Our research shows that for brand-new devices these issues still exist. This issue is not going away any time soon.”